The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Does HIPAA Apply to Workers Comp?

HIPAA does not apply to workers comp inasmuch as workers compensation insurers and administrative agencies are not required to comply with the HIPAA Administrative Simplification Requirements. However, HIPAA does apply to disclosures of Protected Health Information by HIPAA covered entities for workers comp purposes.

HIPAA does not apply to workers comp because, when Congress passed the Health Insurance Portability and Accountability Act in 1996, it adopted the “excepted benefits” clause of the Public Health Service Act (42 USC 300gg-91(c)(1)). Among other excepted benefits, workers’ compensation and similar insurance were listed as “benefits not subject to requirements”.

Consequently, when the Department of Health and Human Services published the HIPAA Administrative Simplification Requirements and the original HIPAA Privacy Rule in 2000, policies, plans, and programs that provided or paid for the cost of excepted benefits – including workers compensation – were excluded from the definition of a health plan (45 CFR §160.103).

This means that workers compensation insurers, administration agencies, workers comp boards, and the workers comp element of employers’ self-insured health plans are not required to comply with the HIPAA Privacy, Security, or Breach Notification Rules. However, they are required to comply with state data protection and breach notification regulations.

How Does HIPAA Apply to Workers Comp Disclosures?

Although providers of excepted benefits are not required to comply with HIPAA, healthcare providers that qualify as HIPAA covered entities must still comply with applicable standards of the HIPAA Privacy Rule when disclosing Protected Health Information (PHI) for workers comp purposes. However, which standards of HIPAA apply to workers comp disclosures varies depending on state regulations and whether an authorization is required.

Generally, most covered entities can rely on 45 CFR §164.512(l) of the HIPAA Privacy Rule to disclose PHI for workers comp purposes. However, this standard limits how much PHI can be disclosed to the minimum necessary to achieve the purpose of the disclosure – absent any state law to the contrary. For this reason, some states mandate by regulation what PHI must be disclosed to insurers and administrative agencies to support workers comp claims.

When state regulations mandate what PHI must be disclosed, the “required by law” standards of HIPAA apply to workers comp disclosures (45 CFR §164.512(a)) inasmuch as healthcare providers can disclose more than what HIPAA would consider the minimum necessary up to the limit required by the state regulations. Any further disclosures of PHI must be supported by a valid HIPAA authorization signed by the injured party or their personal representative.

How Protected Health Information is Disclosed Also Matters

While which standards of HIPAA apply to workers comp disclosures varies depending on state regulations, how PHI is disclosed also matters when it is disclosed electronically. Unlike disclosures between HIPAA covered healthcare providers and HIPAA covered health plans – which are most often via an online portal – disclosures of PHI for workers comp purposes are more likely to be conducted by email and governed by the HIPAA Security Rule.

This means that – even though transactions between a HIPAA covered entity and a workers comp insurer are not HIPAA covered transactions – the email service used to send PHI to insurers must comply with the security standards for HIPAA compliant email and a Business Associate Agreement must be executed with the provider of the email service. It is not necessary to execute a Business Associate Agreement with the recipients of workers comp emails.

In addition, workforce members responsible for responding to insurers’ requests for PHI will typically have a high level of access to PHI. Consequently, in addition to receiving HIPAA training on the minimum necessary standard and when authorizations are required, it must also be explained to them why they must take care over disclosing login credentials, verify the identity of entities that request PHI, and ensure PHI is emailed to the correct recipients.

Healthcare providers who are unsure about how HIPAA applies to workers comp disclosures in their location are advised to seek legal advice on the state’s workers comp regulations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
